Genie's Tech Blog

Where knowledge has no dimensions

Inter-VRF Routing

Hello All,

Today I will discuss VRF-Lite and one of the BGP-based designs seen in real-world deployments: Inter-VRF Routing. Let's start by understanding what VRF is.

VRF: Virtual Router Forwarding, an IOS feature in which multiple forwarding tables are used, with the choice of which table to use based upon additional data outside of a packet's IP header, such as the L3 input interface or an MPLS tag.

VRF-Lite: An implementation of VRF on CE devices in which forwarding table selection is done based upon the L3 input interface. In other words, VRF deployment without MPLS is known as VRF-Lite.

Inter-VRF Routing is an implementation of VRF-Lite in which route filtering happens between different VRFs within a single box. This kind of design is generally seen in hub-and-spoke topologies. I will now demonstrate an example of Inter-VRF Routing in which traffic comes in on one interface and leaves through a different interface, with all the filtering done using VRF-Lite.

Consider the below topology:

 

In the above topology, traffic leaves the router from vrf A and the return packet enters the router through vrf C. Let's now take a look at the configuration of both routers to better understand this topology:

Config on R1:
=========
vrf definition A
 rd 1:1
 route-target export 2:2
 !
 address-family ipv4
 exit-address-family
!
vrf definition B
 rd 2:2
 route-target export 3:3
 route-target import 2:2
 !
 address-family ipv4
 exit-address-family
!
vrf definition C
 rd 3:3
 route-target import 3:3
 !
 address-family ipv4
 exit-address-family
!
interface Loopback1
 vrf forwarding B
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0/0.1
 encapsulation dot1Q 11
 vrf forwarding A
 ip address 12.12.12.1 255.255.255.252
!
interface GigabitEthernet0/0/0.3
 encapsulation dot1Q 22
 vrf forwarding C
 ip address 13.13.13.2 255.255.255.252
 ip access-group test in
!
router bgp 100
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 !
 address-family ipv4 vrf A
  redistribute connected
  neighbor 12.12.12.2 remote-as 200
  neighbor 12.12.12.2 activate
 exit-address-family
 !
 address-family ipv4 vrf B
  network 1.1.1.1 mask 255.255.255.255
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf C
  neighbor 13.13.13.1 remote-as 300
  neighbor 13.13.13.1 local-as 400
  neighbor 13.13.13.1 activate
  neighbor 13.13.13.1 send-community
 exit-address-family
!

Config on R2:
==========
ip vrf A
 rd 1:1
 route-target export 2:2
!
ip vrf B
 rd 2:2
 route-target export 3:3
 route-target import 2:2
!
ip vrf C
 rd 3:3
 route-target import 3:3
!
interface Loopback2
 ip vrf forwarding B
 ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 11
 ip vrf forwarding C
 ip address 12.12.12.2 255.255.255.252
!
interface GigabitEthernet0/1.3
 encapsulation dot1Q 22
 ip vrf forwarding A
 ip address 13.13.13.1 255.255.255.252
!
router bgp 200
 bgp router-id 1.1.1.1
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf C
  redistribute connected
  neighbor 12.12.12.1 remote-as 100
  neighbor 12.12.12.1 activate
  neighbor 12.12.12.1 send-community
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf B
  redistribute connected
  no synchronization
  network 2.2.2.2 mask 255.255.255.255
 exit-address-family
 !
 address-family ipv4 vrf A
  redistribute connected
  neighbor 13.13.13.2 remote-as 400
  neighbor 13.13.13.2 local-as 300
  neighbor 13.13.13.2 activate
  neighbor 13.13.13.2 send-community
  no synchronization
 exit-address-family
!

In the above config, let's refer to the value 1:1 as A, 2:2 as B and 3:3 as C respectively. You will notice from the above config that on R1, under vrf A we export B, under vrf C we import C, and under vrf B we import B and export C. This kind of config makes it possible for the incoming and outgoing traffic to take different paths. Let's now take a look at the routing tables of all the VRFs on R1.

Output on R1:
=========
R1#sh ip route vrf A

Routing Table: A
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      2.0.0.0/32 is subnetted, 1 subnets
B        2.2.2.2 [20/0] via 12.12.12.2, 5d19h
      12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        12.12.12.0/30 is directly connected, GigabitEthernet0/0/0.1
L        12.12.12.1/32 is directly connected, GigabitEthernet0/0/0.1

R1#sh ip route vrf B

Routing Table: B
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
C        1.1.1.1 is directly connected, Loopback1
      2.0.0.0/32 is subnetted, 1 subnets
B        2.2.2.2 [20/0] via 12.12.12.2 (A), 5d19h
      12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
B        12.12.12.0/30 
           is directly connected (A), 5d19h, GigabitEthernet0/0/0.1
L        12.12.12.1/32 is directly connected, GigabitEthernet0/0/0.1

R1#sh ip route vrf C

Routing Table: C
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
B        1.1.1.1 is directly connected (B), 1d22h, Loopback1
      13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        13.13.13.0/30 is directly connected, GigabitEthernet0/0/0.3
L        13.13.13.2/32 is directly connected, GigabitEthernet0/0/0.3

We would see similar output on router R2. Let's now check the reachability from router R1:

Output on R1:
==========
R1# ping vrf B 2.2.2.2 so 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Let's now take a look at the debug ip packet output on R2:

Output on R2:
==========
*May  1 01:25:45.736: CEF: Try to CEF switch 2.2.2.2 from GigabitEthernet0/1
*May  1 01:25:45.736: IP: tableid=1, s=1.1.1.1 (GigabitEthernet0/1.1), d=2.2.2.2 (Loopback2), routed via RIB
*May  1 01:25:45.736: IP: s=1.1.1.1 (GigabitEthernet0/1.1), d=2.2.2.2, len 100, rcvd 4
*May  1 01:25:45.736: IP: tableid=1, s=2.2.2.2 (local), d=1.1.1.1 (GigabitEthernet0/1.3), routed via FIB
*May  1 01:25:45.736: IP: s=2.2.2.2 (local), d=1.1.1.1 (GigabitEthernet0/1.3), len 100, sending
*May  1 01:25:45.736: CEF: Try to CEF switch 2.2.2.2 from GigabitEthernet0/1
*May  1 01:25:45.736: IP: tableid=1, s=1.1.1.1 (GigabitEthernet0/1.1), d=2.2.2.2 (Loopback2), routed via RIB
*May  1 01:25:45.736: IP: s=1.1.1.1 (GigabitEthernet0/1.1), d=2.2.2.2, len 100, rcvd 4
*May  1 01:25:45.736: IP: tableid=1, s=2.2.2.2 (local), d=1.1.1.1 (GigabitEthernet0/1.3), routed via FIB

From the above output, we can see that the packet initially comes in via interface Gi0/1.1 and leaves the router via Gi0/1.3. Since we are using a 7200 series router to demonstrate this topology, the packet is routed via the RIB to vrf B. If this were an ASR1k router, the packet would instead be forwarded via the FIB, which would cause all the packets to drop because there is no IPv4 route in the FIB in the receiving VRF. Let's see the result after replacing R1 with an ASR1k series router:

Output on R2:
==========
R2#ping vrf B 1.1.1.1 source 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2 
.....
Success rate is 0 percent (0/5)

Output on R1:
==========
R1#sh plat hardware qfp active statistics drop 
-------------------------------------------------------------------------
Global Drop Stats                         Packets                  Octets  
-------------------------------------------------------------------------
Ipv4NoRoute                                    27                    2700

We can see from the above output that the ping fails, and with every dropped ping the Ipv4NoRoute counter increments.
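
The route-target relationships and the missing return route described above can be checked offline before a design like this is deployed. The following Python code is an added example, not part of the original post: it parses R1's route-target lines, derives which VRF leaks into which, and confirms that vrf C has no route back to 2.2.2.2. The function names are hypothetical, and the one-hop leak model (imported routes are not re-exported) is an assumption chosen to match the routing tables shown in the post.

```python
import ipaddress
import re

# R1's VRF stanzas from the post, reduced to the route-target lines.
R1_CONFIG = """\
vrf definition A
 route-target export 2:2
vrf definition B
 route-target export 3:3
 route-target import 2:2
vrf definition C
 route-target import 3:3
"""
# Routes native to each VRF on R1, transcribed from the post's "show ip route vrf" output.
OWN_ROUTES = {"A": ["2.2.2.2/32", "12.12.12.0/30"],
              "B": ["1.1.1.1/32"], "C": ["13.13.13.0/30"]}

def parse_vrfs(config):
    """Return {vrf: {"import": set, "export": set}}; accepts both VRF syntaxes."""
    vrfs, current = {}, None
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"(?:vrf definition|ip vrf)\s+(\S+)$", line)
        if m:
            current = vrfs.setdefault(m.group(1), {"import": set(), "export": set()})
            continue
        m = re.match(r"route-target\s+(import|export)\s+(\S+)$", line)
        if m and current is not None:
            current[m.group(1)].add(m.group(2))
    return vrfs

def leak_map(vrfs):
    """Map each VRF to the other VRFs whose exported route-targets it imports."""
    return {dst: {src for src, s in vrfs.items() if src != dst and s["export"] & d["import"]}
            for dst, d in vrfs.items()}

def visible_routes(vrfs, own):
    """Own routes plus one-hop leaks (assumed: imported routes are not re-exported)."""
    leaks = leak_map(vrfs)
    return {v: set(own.get(v, [])).union(*(own.get(s, []) for s in leaks[v]))
            for v in vrfs}

def has_route(table, dst):
    """True if any prefix in a VRF's table covers the destination address."""
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(p) for p in table)

if __name__ == "__main__":
    for vrf, table in sorted(visible_routes(parse_vrfs(R1_CONFIG), OWN_ROUTES).items()):
        print(vrf, sorted(table), "route to 2.2.2.2:", has_route(table, "2.2.2.2"))
```

A VRF that holds a leaked destination but has no route back to the source, as vrf C does here for 2.2.2.2, is the condition that shows up as Ipv4NoRoute drops on a FIB-only platform.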

Hope this post helps in understanding Inter-VRF Routing.

Feel free to reach out in case you have any questions.

Cheers...!!!

Comments (2) -

  • Bob Luchi

    3/18/2014 4:53:05 PM |

    What do you mean that the 7200 forwards via the RIB and not the FIB? If you were to do "show ip cef vrf B 2.2.2.2" on R1, what would be the output? Then what would be the output on the ASR1k?

    Why would the ASR1k not install the entry in the FIB?

    Thanks for your help...I would test this out myself, but unfortunately I don't have access to ASR1ks.

    Thanks!

  • Genie

    3/28/2014 11:45:53 AM |

    Hello Bob
    The “loopback” route is already in the RIB of both vrf C and B. When pinging from the 7200 to the asr1k (2.2.2.2 --> 1.1.1.1), this echo req packet does reach the asr1k through vrf C. Then the asr1k searches the FIB table and finds that this packet is a for-us packet. Then the asr1k generates an echo reply packet (1.1.1.1 --> 2.2.2.2) and tries to send it out in vrf C. Here is what the problem is. In vrf C, we have no route to 2.2.2.2. So the ICMP echo reply cannot be sent out.
    In the ASR1k, we just route/forward packets based on the FIB table. In the FIB table, we have no vrf information for 1.1.1.1.

    Hope this helps.
